Super helpful, thank you Sam!

On Thu, 11 Jul 2024, 18:01 Sam Morris via FreeIPA-users, <[email protected]> wrote:
> On 11/07/2024 14:36, David Harvey via FreeIPA-users wrote:
> > Dear list,
> >
> > I'm thinking of making our border devices our primary port of call for
> > DNS, and setting them to forward to FreeIPA. I found an inconclusive
> > thread saying that this might break dyndns for my otherwise happy IPA
> > clients.
> > Does dyndns working rely upon clients having IPA servers set up as their
> > DNS server? I couldn't see an sssd option of "send updates here (only
> > use this NIC)".
>
> There are two parts to the DNS update process.
>
> SSSD first needs to decide if a DNS update is necessary. It does this by
> querying the system's configured nameservers for the system's hostname,
> and checking the A/AAAA RRs in the response. So as long as 'delv -i
> $HOSTNAME' keeps working, this should be fine.
>
> If, as a result of that query, SSSD decides an update is necessary, then
> it will launch nsupdate(1) to perform the update. nsupdate tries to
> determine the DNS zone's primary server by doing the equivalent of 'delv
> -i -t SOA ipa.example.com'. It then sends DNS update commands to the
> primary server directly.
>
> Therefore, if you block the ability for your IPA clients to connect
> directly to your IPA servers on either port 53/tcp or 53/udp then you'll
> break dynamic DNS updates. But other than those DNS update commands, I
> wouldn't expect to see DNS traffic headed directly to your IPA servers,
> because most general purpose DNS lookups on your IPA clients will be
> from NSS and/or DNS client libraries talking to the system's configured
> resolvers.
>
> --
> Sam Morris <https://robots.org.uk/>
> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
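A pre-flight check for the two steps Sam describes, added here as an example and not part of the thread: it resolves the host's own name through the system resolver (what SSSD checks), asks the forwarder for the zone's SOA to find the primary (what nsupdate does), and confirms 53/tcp to that primary is reachable before the border firewall change goes live. The zone `ipa.example.com` and resolver `192.0.2.53` are constructed placeholders; the SOA query and answer parsing are hand-rolled with the standard library so nothing beyond Python is needed.

```python
import socket
import struct

def encode_name(name):
    # Wire-format name: length-prefixed labels ending in a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def build_soa_query(zone, txid=0x1234):
    # Header (id, RD flag set, QDCOUNT=1) followed by one SOA/IN question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)
def read_name(msg, off):
    # Decode a name, following a compression pointer if one appears.
    labels = []
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    if msg[off] & 0xC0 == 0xC0:                      # pointer: rest lives elsewhere
        ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
    return ".".join(labels), off + 1
def soa_mname(response):
    # Skip header and question(s); return MNAME from the first SOA answer.
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    off = 12
    for _ in range(qdcount):
        off = read_name(response, off)[1] + 4        # QTYPE + QCLASS
    for _ in range(ancount):
        off = read_name(response, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 6:                               # SOA: MNAME is first in RDATA
            return read_name(response, off)[0]
        off += rdlen
    raise ValueError("no SOA record in answer section")
def port_open(host, port=53):
    # nsupdate talks to the primary directly, so this is the path to keep open.
    try:
        with socket.create_connection((host, port), timeout=3):
            return True
    except OSError:
        return False
if __name__ == "__main__":
    zone, resolver = "ipa.example.com", "192.0.2.53"  # constructed placeholders
    print("self A/AAAA via system resolver:", socket.getaddrinfo(socket.getfqdn(), None))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_soa_query(zone), (resolver, 53))
        primary = soa_mname(s.recv(4096))
    print("zone primary:", primary, "53/tcp reachable:", port_open(primary))
```

If the first print shows the host's current addresses but the last reports 53/tcp unreachable, the forwarder setup is fine for lookups and it is the direct client-to-primary path that will break dynamic updates.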
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
